CVE-2026-27139 PUBLISHED

FileInfo can escape from a Root in os

Assigner: Go
Reserved: 17.02.2026 Published: 06.03.2026 Updated: 06.03.2026

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened. The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Product Status

Vendor	Go standard library
Product	os
Versions	Default: unaffected affected from 0 to 1.25.8 (excl.) affected from 1.26.0-0 to 1.26.1 (excl.)

Credits

Miloslav Trmač of Red Hat

References

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk
https://go.dev/issue/77827
https://go.dev/cl/749480
https://pkg.go.dev/vuln/GO-2026-4602

Problem Types

CWE-363: Race Condition Enabling Link Following